Extending EBS 12+ with Apex
Tomek, Jan 28 2013 — edited Jan 30 2013

I follow the official Oracle White Paper about how to do it and everything works nicely, however...
Custom EBS function definition follows this syntax to pass the context information to APEX (as per white paper):
*GWY.jsp?targetAppType=APEX&p=109:3:::::EBS_RESP_ID,EBS_APP_ID,EBS_SEC_GROUP:[RESPONSIBILITY_ID],[RESP_APPL_ID], [SECURITY_GROUP_ID]*
The actual URL that gets generated looks like this (I use different names, but it is very similar):
*..../f?p=702:1:697586553684301::::G_FUNCTION_NAME,G_RESP_ID,G_APPL_ID,G_SECURITY_GROUP_ID:ZPAY_ONLINE_SOE,59352,800,0*
As you see, the RESP_ID, APPL_ID, and SECURITY_GROUP values are passed in the URL. All is great except those numbers can be easily manipulated, since I cannot apply checksum protection to the defined Application Items. The URL string is constructed by the Oracle seeded JSP page and I do not have any control over it.
Does anyone have an idea how to secure those attributes? I use custom authorization to use the values passed to set the context of the APEX environment.
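
One way to treat the URL-supplied context as untrusted input is to check it server-side against the user's EBS responsibility assignments before using it. This is an added example, not part of the original post and not code from the Oracle white paper. Assumptions: the function name `xx_ebs_context_is_assigned` is hypothetical, the APEX user name equals `FND_USER.USER_NAME`, and the APEX parsing schema can select from the EBS views `FND_USER` and `FND_USER_RESP_GROUPS`.

```sql
-- Added example (hypothetical function name). Returns TRUE only when the
-- responsibility / application / security group triple taken from the URL
-- is currently assigned to the authenticated user in EBS.
CREATE OR REPLACE FUNCTION xx_ebs_context_is_assigned (
    p_user_name    IN VARCHAR2,  -- authenticated APEX user (:APP_USER)
    p_resp_id      IN VARCHAR2,  -- G_RESP_ID as received in the URL
    p_appl_id      IN VARCHAR2,  -- G_APPL_ID as received in the URL
    p_sec_group_id IN VARCHAR2   -- G_SECURITY_GROUP_ID as received in the URL
) RETURN BOOLEAN
IS
    l_resp_id      NUMBER;
    l_appl_id      NUMBER;
    l_sec_group_id NUMBER;
    l_hits         PLS_INTEGER;
BEGIN
    -- Item values arrive as strings; a non-numeric value raises VALUE_ERROR.
    l_resp_id      := TO_NUMBER(p_resp_id);
    l_appl_id      := TO_NUMBER(p_appl_id);
    l_sec_group_id := TO_NUMBER(p_sec_group_id);

    -- A missing (NULL) value never matches, so the count stays 0.
    SELECT COUNT(*)
      INTO l_hits
      FROM fnd_user u
      JOIN fnd_user_resp_groups g
        ON g.user_id = u.user_id
     WHERE u.user_name = UPPER(p_user_name)
       AND g.responsibility_id = l_resp_id
       AND g.responsibility_application_id = l_appl_id
       AND g.security_group_id = l_sec_group_id
       AND SYSDATE BETWEEN u.start_date AND NVL(u.end_date, SYSDATE)
       AND SYSDATE BETWEEN g.start_date AND NVL(g.end_date, SYSDATE);

    RETURN l_hits > 0;
EXCEPTION
    WHEN VALUE_ERROR OR INVALID_NUMBER THEN
        RETURN FALSE;  -- malformed input is treated as "not assigned"
END xx_ebs_context_is_assigned;
/

-- Body of an APEX authorization scheme of type
-- "PL/SQL Function Returning Boolean", evaluated before the context is set:
--   RETURN xx_ebs_context_is_assigned(:APP_USER, :G_RESP_ID,
--                                     :G_APPL_ID, :G_SECURITY_GROUP_ID);
```

With this check an edited URL can only select a responsibility the user already holds in EBS. `G_FUNCTION_NAME` is not validated here and needs its own check.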